May 19, 2010

DEBORAH J. JUDY
DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS

CHARLES L. MCGANN, JR.
MANAGER, CORPORATE INFORMATION SECURITY

SUBJECT: Audit Report – Modem Security at the xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxx (Report Number IS-AR-10-009)

This report presents the results of our self-initiated audit of modem security at the [redacted] (Project Number 10RG013IT000). Our objective was to determine whether controls over modems are adequate to protect information resources at the [redacted]. This audit addresses operational risk. See Appendix A for additional information about this audit.

Modem security is essential to preserve the integrity and confidentiality of the U.S. Postal Service network. Policy [1] prohibits accessing the intranet via a modem without the explicit approval of the manager, Corporate Information Security Office Information Security Services. Unsecure or unauthorized modems may provide malicious users undetected access to Postal Service information resources.

[1] Handbook AS-805, Information Security, Section 5-5, Prohibited Uses of Information Resources, dated November 2009.

Conclusion

Security controls over modems are adequate to protect information resources at the [redacted]. Using security software, we scanned 4,906 telephone numbers dedicated to the [redacted] and identified five modems. We were unable to penetrate these modems to gain access to information resources on the Postal Service network. However, management can improve controls over modems by performing required modem security assessments and properly accounting for modems.

Modem Security Assessments

Management is not performing modem security assessments at the [redacted]. This occurred because management viewed the assessments as a lower priority to other assessments including payment card industry scans and certifications and accreditations. Administrators last performed an assessment of the [redacted] in September 2007. Postal Service policy requires protection of the network infrastructure through vulnerability scans, penetration testing, and assessments. [2] By performing modem security assessments, management can reduce the risk associated with unauthorized or incorrectly configured modems that could provide malicious users with unauthorized – and potentially undetected – access to Postal Service information resources.

We recommend the manager, Corporate Information Security, direct the manager, National Information System Security, to:

1. Periodically identify and assess modems at the [redacted] and communicate the results to the manager, Telecommunication Services.

Modem Accountability

Management does not maintain an asset inventory of modems. Policy [3] requires management to maintain an accurate inventory of modems to identify unauthorized modems. This occurred because Postal Service management was relying on contract service providers to properly account for the modems. [4] Unauthorized modems could provide users unintended – and potentially undetected – access to networked information resources.

We recommend the director, Information Technology Operations, direct the manager, Telecommunication Services, to:

2. Inventory and account for all modems installed at the [redacted].

3. Use the security assessment results to reconcile modem inventories and identify and remove unauthorized modems from the network.

[2] Handbook AS-805, Section 11-1.2 (i), Network Infrastructure.
[3] Handbook AS-805, Section 11-3.2, Maintaining Network Asset Control.
[4] Management could not readily identify whether they approved the use of these modems and the applicable contracts did not mention the modems. If management did approve the modems, they did so as part of a larger network configuration.

Management's Comments

Management agreed with the recommendations. In response to recommendation 1, National Information System Security will perform annual vulnerability assessments of all identified modems within the infrastructure and communicate these results to the manager, Telecommunication Services. Moreover, they will report unregistered modems to the Computer Incident Response Team. In response to recommendations 2 and 3, Telecommunication Services will reconcile and maintain an approved inventory of modems. Additionally, they will review modem inventories and remove unauthorized modems from the network.

The target completion date for recommendations 1 and 3 is September 30, 2010. The target completion date for recommendation 2 is June 1, 2010. See Appendix B for management's comments, in their entirety.

Evaluation of Management's Comments

The OIG considers management's comments responsive to the recommendations and management's corrective actions should resolve the issues identified in the report.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at 703-248-2100.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Ross Philo
    Charles L. McGann
    Raymond J. Iandolo
    Larry K. Wills
    Sally K. Haring

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The [redacted] provides network infrastructure services to Postal Service business units at over 38,000 sites. Telecommunication Services is responsible for providing the Postal Service with voice and data communications. Corporate Information Security is responsible for ensuring Postal Service information resources operate in a secure and trusted environment.

Modems are devices that transmit data over telephone wires by modulating data into an audio signal to send information and demodulating an audio signal into data to receive the information. Modem security is essential to ensure the confidentiality and integrity of information resources. Postal Service policy prohibits accessing the intranet via modems without explicit approval of the manager, Corporate Information Security Office Information Security Services. Malicious users typically implement war dialing [5] to locate vulnerable modems and manipulate them to access the network. The presence of unsecure or unapproved modems attached to systems can provide users undetected and unauthorized access to information resources. PhoneSweep® is a security audit tool used to identify security risks such as unsecure modems within a predefined range of telephone numbers.

[5] War dialing is a computer program used to identify telephone numbers that can successfully make a connection with a computer modem.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether controls over modems are adequate to protect information resources at the [redacted]. To achieve our objective, we obtained a list of 4,906 telephone numbers dedicated to the [redacted]. From March 4 to 8, 2010, we used PhoneSweep to assess these telephone numbers to identify active modems. Using manual and automated techniques, we attempted to penetrate the identified modems to determine whether the devices grant unauthorized access to Postal Service information resources. We interviewed key officials and reviewed applicable Postal Service policies, standards, and procedures.

We conducted this performance audit from February through May 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. In addition, we used manual and automated techniques to analyze computer-processed data and concluded the data were sufficiently reliable to meet the report objective. We discussed our observations and conclusions with management officials on April 30, 2010, and included their comments where appropriate.

PRIOR AUDIT COVERAGE

Report Title                                                   Report Number   Final Report Date
PhoneSweep Security Assessment at the [redacted]               IS-CS-08-002    9/22/2008
  Information Technology and Accounting Service Center
PhoneSweep Security Assessment at [redacted]                   IS-CS-08-003    9/22/2008
  Information Technology and Accounting Service Center

The reports listed above were issued as technical reports and, therefore, did not contain formal recommendations. Instead, we urged system administrators to review and use the detailed information in the reports as tools to assist in establishing priorities for corrective action, and implementing repairs as necessary. Both reports noted management did not maintain a current inventory of modems.

APPENDIX B. MANAGEMENT COMMENTS